Security practitioner and risk thinker with 9+ years in cybersecurity and IT risk management. Writing about security, compliance, and the risks hidden in today’s interconnected business ecosystems.
I work at the intersection of cybersecurity, third-party risk, and supply chain resilience, helping organizations understand, assess, and manage the risks that come with relying on vendors, partners, and complex ecosystems. Whether it’s a gap analysis against NIS2, a compliance assessment under DORA, or building a practical Identity and Access Management (IAM) framework, my focus is always the same: making security work in the real world, not just on paper.
This site is where I think out loud. You’ll find writing on risk management, third-party security, compliance, and the tools and ideas that help turn complex requirements into practical programs.
When I’m not focused on security and risk, I’m probably tending the garden, training for my next Ironman, or spending quality time with my family.
The supply chain is now the primary way enterprise cyber risk materializes - here's what the numbers, the incidents, and the attackers themselves tell us about it.
Regulators, critical suppliers, and the uncomfortable truth that third-party risk is no longer procurement paperwork but a core security and resilience obligation.
A recurring monitoring stream focused on vendor incidents, control weaknesses, concentration risk, regulatory expectations, and operational signals that matter to third-party risk and resilience teams.
A recurring monitoring stream focused on sanctions, regional instability, trade restrictions, chokepoints, strategic dependencies, and geopolitical developments that can materially affect suppliers, logistics, and operational resilience.
Led a NIS2 gap analysis, mapping regulatory requirements alongside ISO 27001, ISAE 3402, and SOC 2 to the organization's internal control environment — a critical step in understanding supply chain exposure.
Assessed DORA compliance for a cryptocurrency and digital finance company, focusing on operational resilience in a space where third-party dependencies are evolving faster than regulations.
Performed a combined NIS2 and NIST gap analysis, advising on practical strategies to close compliance gaps across vendor-dependent infrastructure.
Oversaw the IT components of external financial statement audits, digging into access management, incident response, and change management processes — all areas where third-party risk often hides in plain sight.
Conducted IT and SWIFT audits, revising internal policies that directly impact how third-party transactions and communications are secured.
Developed and formalized IAM policies, strengthening the security posture across a supply chain that depends heavily on external partners and systems.
Guided the implementation and certification of ISO 27001:2022, building a security management system designed to scale with third-party growth.
Working on something in the risk space?
Let's talk.